[Bug] execute_code sandbox fails with bubblewrap namespace error #703

Description

@up-guillaume

Problem

The execute_code tool fails with:

bwrap: No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces.

Impact

  • Agents cannot execute shell commands via execute_code
  • Agents cannot run docker ps, ssh, or other system commands
  • Agents fall back to MCP tools (which may not be available)
  • Limits agent autonomy for system administration tasks

Root Cause

The sandbox uses bubblewrap (bwrap) which requires user namespaces. The kernel on the staging server does not allow non-privileged user namespaces.

Current Workaround

Agents use MCP tools instead:

  • mcp_ssh_bridge_ssh_exec for SSH commands
  • mcp_ssh_bridge_ssh_docker_ps for Docker
  • mcp_ssh_bridge_ssh_postgresql_query for PostgreSQL

Investigation Needed

  1. Check kernel configuration:

    sysctl kernel.unprivileged_userns_clone

  2. If disabled, enable it:

    echo 'kernel.unprivileged_userns_clone=1' >> /etc/sysctl.conf
    sysctl -p

  3. Alternative: Use a different sandboxing mechanism (Docker, chroot, etc.)

Security Considerations

  • User namespaces can be a security risk if not properly configured
  • Need to balance security vs functionality
  • Consider using AppArmor/SELinux profiles for additional protection

Acceptance Criteria

  • Root cause identified (kernel config vs bubblewrap issue)
  • Sandbox works for basic commands (echo, ls, pwd)
  • Sandbox works for Docker commands (docker ps)
  • Sandbox works for SSH commands (ssh host command)
  • Security review completed
  • Documentation updated with sandbox limitations
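
A diagnostic sketch for the "kernel config vs bubblewrap issue" question above, added here as an example and not taken from the issue author or the project. It goes beyond step 1 by also reading user.max_user_namespaces (upstream kernels) and kernel.apparmor_restrict_unprivileged_userns (Ubuntu), since kernel.unprivileged_userns_clone exists only on distribution-patched kernels such as Debian's. The names PROC_SYS, read_knob and userns_diagnose are hypothetical.

```shell
#!/bin/sh
# Added example: report which kernel knob, if any, blocks the unprivileged
# user namespaces that the issue says bwrap requires.
# PROC_SYS is overridable so the logic can be run against constructed files.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Print a sysctl's value, or "absent" if this kernel does not expose it.
read_knob() {
    cat "$PROC_SYS/$1" 2>/dev/null || echo absent
}

# Print one verdict line; checks go from the hardest block to the softest.
userns_diagnose() {
    max=$(read_knob user/max_user_namespaces)
    clone=$(read_knob kernel/unprivileged_userns_clone)
    aa=$(read_knob kernel/apparmor_restrict_unprivileged_userns)

    if [ "$max" = absent ]; then
        # No per-user namespace limit exposed: user namespaces likely not built in.
        echo "unsupported: user.max_user_namespaces absent"
    elif [ "$max" = 0 ]; then
        echo "blocked: user.max_user_namespaces=0"
    elif [ "$clone" = 0 ]; then
        # The knob from step 1; "absent" here means it is not the cause.
        echo "blocked: kernel.unprivileged_userns_clone=0"
    elif [ "$aa" = 1 ]; then
        # Ubuntu: unprivileged user namespaces are limited by AppArmor policy.
        echo "restricted: kernel.apparmor_restrict_unprivileged_userns=1"
    else
        echo "allowed"
    fi
}

userns_diagnose
```

An "allowed" verdict on a host where bwrap still fails points away from these sysctls and toward the surrounding environment (for example a container or seccomp policy), which is the other half of the root-cause question.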